Making 2FA/MFA robust against smishing and related attacks

Daniel Wong

Traditionally, users of web and mobile applications have been authenticated with a username/password login. Attackers soon found weaknesses to exploit: users choose weak passwords, reuse the same password across accounts, share passwords, and so on. Even with strong passwords, attackers use social engineering to persuade the human user to defeat the protection themselves, e.g., by revealing the password to the attacker or by entering the credentials on a malicious site where they are captured.

2FA/MFA was introduced to make this harder by requiring two or more proofs of identity, also known as authentication factors. These take many forms but boil down to: something you know (e.g., a password), something you have (e.g., a device holding a cryptographic key), or something you are (e.g., a biometric) [1].

However, 2FA/MFA is not a universal panacea that can be picked off a shelf and thrown in to solve any and all challenges presented by attackers.

  • Just because something CAN be used as an authentication factor does not make it a good one. Using SMS to deliver a short-lived One-Time Password (OTP) to a user’s mobile phone (“something you have”) is an example of a factor notorious for its weaknesses: SMS rides on decades-old telephony signalling with known vulnerabilities, the phone number itself can be taken over by SIM swapping, and the OTP is just a string that the user can be lured into typing into an attacker’s page by a phishing text (smishing). NIST’s Digital Identity Guidelines [1] (SP 800-63B) accordingly class out-of-band authentication over the PSTN, including SMS, as a restricted authenticator.

  • Implementation: the way an authentication factor is implemented makes a big difference to the viability of attacks against it. A little-known fact is that most mobile authenticator apps can be compromised surprisingly easily: a software token is only a secret seed plus a published algorithm, so an attacker who extracts the seed by exploiting a Trust Gap [2] can generate the same OTPs in another authenticator, and the server cannot tell the copy from the original. Hence the implementation must be crafted to avoid such pitfalls.

  • Resets/re-onboarding. Authentication factors need to be set up, and sometimes reset, e.g., when a user forgets their password, or when a software token is bound to a specific mobile device and the user gets a new phone. Every reset path is a way to obtain a fresh credential without presenting the old one, so it introduces vulnerabilities that can be exploited. For example, if a helpdesk is involved, social engineering can be used to induce a reset in the attacker’s favour.

Cybercrime groups such as UNC3944 [3] have reportedly been mounting exactly these attacks, exploiting weaknesses in the implementation and in the reset/re-onboarding of 2FA/MFA, and several well-known organisations have been compromised as a result.



It is no longer enough to use just any 2FA/MFA. Besides choosing reasonably reliable authentication factors, a deployment needs a well-crafted implementation and should minimise, or even eliminate, the need for resets/re-onboarding. A passwordless solution removes the password, which is the factor most easily phished. Appropriate use of biometrics can also remove the need for 2FA/MFA bypass or re-onboarding when a user changes devices. Finally, a solution that closes the Trust Gap has to defend the software itself against attack and give the app, not just the user, a strong identity. A solution that meets these requirements for strong mobile-based 2FA/MFA is V-Key ID [4]. It builds on V-Key’s V-OS Smart Token, an implementation designed to address Trust Gap issues, and adds innovations such as cross-platform privacy-enabled biometrics to minimise or eliminate resets/re-onboarding. It can provide strong 2FA/MFA both for your employees (using V-Key Smart Authenticator) and for your customers (by incorporating V-Key ID within your app).


[1] NIST Special Publication 800-63-3, “Digital Identity Guidelines”.

[2] “Most mobile authenticator apps have a design flaw that can be hacked”.

[3] “Why are you Texting Me? UNC3944 leverages SMS ..”.

[4] “Revolutionising Universal Digital Identities with V-Key ID”.
